What Changed
To enhance overall security, we modified internal logic associated with type name processing (including, but not limited to, our deserialization mechanism).
If the following properties utilize untrusted types, restore operations involving these APIs will generate security warnings:
Charts
- DevExpress.Xpf.Charts.PieTotalLabel.Content
- DevExpress.Xpf.Charts.AxisCoordinate.AxisValue
- DevExpress.Xpf.Charts.Annotation.Content
- DevExpress.Xpf.Charts.Range.MinValue
- DevExpress.Xpf.Charts.Range.MaxValue
- DevExpress.Xpf.Charts.ScaleBreak.Edge1
- DevExpress.Xpf.Charts.ScaleBreak.Edge2
- DevExpress.Xpf.Charts.FinancialIndicator.Argument1
- DevExpress.Xpf.Charts.FinancialIndicator.Argument2
- DevExpress.Xpf.Charts.Indicator.Legend
- DevExpress.Xpf.Charts.NestedDonutSeries2D.Group
- DevExpress.Xpf.Charts.ConstantLine.Value
- DevExpress.Xpf.Charts.ConstantLine.Legend
- DevExpress.Xpf.Charts.CustomAxisLabel.Value
- DevExpress.Xpf.Charts.CustomAxisLabel.Content
- DevExpress.Xpf.Charts.BarSideBySideFullStackedSeries2D.StackedGroup
- DevExpress.Xpf.Charts.BarSideBySideStackedSeries2D.StackedGroup
- DevExpress.Xpf.Charts.DataFilter.Value
- DevExpress.Xpf.Charts.TitleBase.Content
- DevExpress.Xpf.Charts.SeriesPoint.ToolTipHint
- DevExpress.Xpf.Charts.Series.ToolTipHint
- DevExpress.Xpf.Charts.Series.Legend
- DevExpress.Xpf.Charts.Strip.MinLimit
- DevExpress.Xpf.Charts.Strip.MaxLimit
- DevExpress.Xpf.Charts.Strip.Legend
- DevExpress.Xpf.Charts.AxisRange.MinValue
- DevExpress.Xpf.Charts.AxisRange.MaxValue
Diagram Control
- DevExpress.Xpf.Diagram.DiagramContentItem.Content
Dock and Layout Manager
- DevExpress.Xpf.Docking.LabelItem.Content
- DevExpress.Xpf.Docking.BaseLayoutItem.Caption
- DevExpress.Xpf.Docking.BaseLayoutItem.TabCaption
- DevExpress.Xpf.Docking.BaseLayoutItem.ToolTip
Layout Control
- DevExpress.Xpf.LayoutControl.LayoutGroup.Header
- DevExpress.Xpf.LayoutControl.LayoutItem.Label
Data Grid and Tree List
- DevExpress.Xpf.Grid.ColumnBase.ColumnChooserHeaderCaption
- DevExpress.Xpf.Grid.IndicatorFormatConditionBase.MinValue
- DevExpress.Xpf.Grid.IndicatorFormatConditionBase.MaxValue
- DevExpress.Xpf.Grid.FormatCondition.Value1
- DevExpress.Xpf.Grid.FormatCondition.Value2
- DevExpress.Xpf.Grid.BaseColumn.Header
- DevExpress.Xpf.Grid.BaseColumn.HeaderToolTip
- DevExpress.Xpf.Grid.DataViewBase.DetailHeaderContent
- DevExpress.Xpf.Grid.DataViewBase.Header
- DevExpress.Xpf.Grid.TreeListView.RootValue
Tree View
- DevExpress.Xpf.Grid.TreeViewControl.RootValue
Pivot Grid
- DevExpress.Xpf.PivotGrid.FormatCondition.Value1
- DevExpress.Xpf.PivotGrid.FormatCondition.Value2
- DevExpress.Xpf.PivotGrid.IndicatorFormatConditionBase.MinValue
- DevExpress.Xpf.PivotGrid.IndicatorFormatConditionBase.MaxValue
- DevExpress.Xpf.PivotGrid.PivotGridField.SummaryFilterStartValue
- DevExpress.Xpf.PivotGrid.PivotGridField.SummaryFilterEndValue
- DevExpress.Xpf.PivotGrid.SortByCondition.Value
Reasons for Change
This change enhances overall app security by detecting code that processes untrusted types.
Impact on an Existing App
If you utilize untrusted types, restore operations involving these APIs will generate security warnings.
How to Update an Existing App
Properties listed above are not deserialized if they include a custom type value. Deserialization for a custom type is only available for string values.
To deserialize custom types, specify a converter (via the IOneTypeObjectConverter interface) that converts a custom type to/from a string. This converter is invoked automatically whenever our deserialization mechanism encounters a registered custom type:
```csharp
using System;
using DevExpress.Utils.Serializing.Helpers;

// Custom value type stored in one of the properties listed above.
struct CustomType {
    public readonly int Value;
    public CustomType(int value) {
        this.Value = value;
    }
}

// Converts CustomType to and from its string form during serialization and deserialization.
public class CustomTypeConverter : IOneTypeObjectConverter {
    // The single type this converter handles.
    public Type Type {
        get { return typeof(CustomType); }
    }
    public string ToString(object obj) {
        return ((CustomType)obj).Value.ToString("D");
    }
    public object FromString(string str) {
        return new CustomType(int.Parse(str));
    }
}

// Register the converter at application startup (place this call in your startup code).
ObjectConverter.Instance.RegisterConverter(new CustomTypeConverter());
```
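Because the converter turns a string from restored data back into an object, FromString is the place to validate that string before a value is constructed. The following is an added example, not DevExpress code: Temperature, TemperatureConverter, SerializationSetup, the "<degrees>;<unit>" string format and the 32-character limit are assumptions made for illustration; only IOneTypeObjectConverter and ObjectConverter.Instance.RegisterConverter come from this page.

```csharp
using System;
using System.Globalization;
using DevExpress.Utils.Serializing.Helpers;

// Hypothetical two-field custom type (assumption, not a DevExpress type).
public struct Temperature {
    public readonly double Degrees;
    public readonly char Unit; // 'C' or 'F'
    public Temperature(double degrees, char unit) { Degrees = degrees; Unit = unit; }
}

public class TemperatureConverter : IOneTypeObjectConverter {
    const int MaxLength = 32; // constructed upper bound for the serialized form
    public Type Type { get { return typeof(Temperature); } }

    // Culture-invariant, round-trippable form, for example "21.5;C".
    public string ToString(object obj) {
        var t = (Temperature)obj;
        return t.Degrees.ToString("R", CultureInfo.InvariantCulture) + ";" + t.Unit;
    }

    // Treat the input as untrusted: check length, shape, unit and number before constructing.
    public object FromString(string str) {
        if (str == null || str.Length > MaxLength)
            throw new FormatException("Temperature: missing or oversized value.");
        string[] parts = str.Split(';');
        if (parts.Length != 2 || parts[1].Length != 1)
            throw new FormatException("Temperature: expected '<degrees>;<unit>'.");
        char unit = parts[1][0];
        if (unit != 'C' && unit != 'F')
            throw new FormatException("Temperature: unknown unit.");
        double degrees;
        if (!double.TryParse(parts[0], NumberStyles.Float, CultureInfo.InvariantCulture, out degrees)
            || double.IsNaN(degrees) || double.IsInfinity(degrees))
            throw new FormatException("Temperature: invalid number.");
        return new Temperature(degrees, unit);
    }
}

public static class SerializationSetup {
    // Call once at application startup, before any restore operation runs.
    public static void Register() {
        ObjectConverter.Instance.RegisterConverter(new TemperatureConverter());
    }
}
```

How a restore operation reacts to an exception thrown from FromString is not described on this page, so exercise that path with a malformed saved value in your own application.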
How to Revert to Previous Behavior
The previous behavior is no longer available.
See Also
WinForms - System.Object type properties: Deserialization-related changes